Trust and security
Transparency about how Pinnix handles your data. We believe you should know exactly who processes your information and how it is protected.
Security and infrastructure
Data residency
All user data stored in the EU (Hetzner, Germany). No data leaves EU/UK without a documented transfer mechanism.
Encryption in transit
TLS 1.2+ on all external connections. HSTS enabled with includeSubDomains. CSP nonce-based on app routes.
Authentication
Better-Auth with bcrypt password hashing (cost 12). TOTP-based MFA enforced for all admin accounts.
Backups
Daily encrypted backups (GPG RSA-4096). On-host and off-site copies, both encrypted at rest.
Error monitoring
Sentry (EU region) with aggressive PII scrubbing. Passwords, tokens, and emails stripped before transmission.
Access control
Role-based admin access (super_admin, ops, support). All admin actions logged to an immutable audit trail.
Sub-processor register
Third parties that process Pinnix user data on our behalf, listed in accordance with UK GDPR Article 28.
| Processor | Purpose | Region | Lawful basis | DPA |
|---|---|---|---|---|
| Hetzner Online | Compute and storage | Germany (EU) | Contract performance | Active |
| Anthropic | AI task breakdown and planning | United States | Contract performance | Active |
| Stableserver | Outbound email relay (SMTP) | United Kingdom | Contract performance | Pending |
| Sentry | Error monitoring and telemetry | EU region | Legitimate interest | Active |
| Google LLC | GA4 marketing analytics | United States | Consent (PECR) | Active |
| Cloudflare | DNS resolution and bot detection | Global (EU edges preferred) | Contract performance / Legitimate interest | Active |
| Stripe | Payment processing | United States | Contract performance | Pending |
For questions about our data practices, contact hello@pinnix.co.uk. See also our privacy policy and terms of service.